Method and system for providing wireless vulnerability management for local area computer networks

ABSTRACT

A Software-as-a-Service (SaaS) based method for providing wireless vulnerability management for local area computer networks. The method includes providing a security server being hosted by a service provider entity to provide analysis of data associated with wireless vulnerability management for a plurality of local area computer networks of a plurality of customer entities, respectively. The method includes creating a workspace for wireless vulnerability management for a customer entity on the security server and receiving configuration information associated with the workspace. The method also includes supplying one or more sniffers to the customer entity. The method includes receiving at the security server information associated with wireless activity monitored by the one or more sniffers at premises of the customer entity and processing the received information within the workspace for the customer entity using the security server. The method includes metering usage of the workspace for wireless vulnerability management for the customer entity.

CROSS-REFERENCES TO RELATED APPLICATIONS

This present application claims priority to commonly owned U.S.Provisional Application No. 60/985,652, entitled “Hosted WirelessVulnerability Assessment Service and Related Methods and Systems”, filedon Nov. 6, 2007, which is hereby incorporated by reference herein.

BACKGROUND OF THE INVENTION

The present invention relates generally to wireless computer networkingtechniques. More particularly, the invention provides a method and asystem for providing wireless vulnerability management for local areacomputer networks according to a specific embodiment. Merely by way ofexample, the invention has been applied to a computer networkingenvironment based upon the IEEE 802.11 family of standards, commonlycalled “WiFi.” But it would be recognized that the invention has a muchbroader range of applicability. For example, the invention can beapplied to Ultra Wide Band (“UWB”), IEEE 802.16 commonly known as“WiMAX”, Bluetooth, and others.

Computer systems proliferated from academic and specialized scienceapplications to day to day business, commerce, information distribution,and home applications. Such systems include personal computers, whichare often called “PCs” for short, to large mainframe and server classcomputers. Powerful mainframe and server class computers run specializedapplications for banks, small and large companies, e-commerce vendors,and governments. Smaller personal computers can be found in many if notall offices, homes, and even local coffee shops. These computersinterconnect with each other through computer communication networksbased on packet switching technology such as the Internet protocol (IP).The computer systems located within a specific local geographic regionsuch as office, home, retail outlet, or other indoor and outdoorpremises interconnect using a Local Area Network, commonly called, LAN.Ethernet is by far the most popular networking technology for LANs. TheLANs interconnect with each other using a Wide Area Network called “WAN”such as the famous Internet. The LANs are typically coupled to theInternet through firewalls. The LANs are typically considered as privatenetworks, while the Internet is considered as a public network. Althoughmuch progress occurred with computers and networking, we now face avariety of security threats on many computing environments from thehackers connecting to the computer network in an unauthorized fashion.The application of wireless communication to computer networking furtheraccentuates these threats.

As merely an example, the conventional LAN is usually deployed using anEthernet based infrastructure comprising cables, hubs switches, andother elements. A number of connection ports (e.g., Ethernet ports) areused to couple various computer systems to the LAN. A user can connectto the LAN by physically attaching a computing device such as laptop,desktop or handheld computer to one of the connection ports usingphysical wires or cables. Other computer systems such as databasecomputers, server computers, routers and Internet gateways also connectto the LAN to provide specific functionalities and services. Oncephysically connected to the LAN, the user often accesses a variety ofservices such as file transfer, remote login, email, word wide web,database access, and voice over IP. Security of the LAN often occurs bycontrolling access to the physical space where the LAN connection portsare located.

Although conventional wired networks using Ethernet technologyproliferated, wireless communication technologies are increasing inpopularity. That is, wireless communication technologies wirelesslyconnect users to the computer communication networks. A typicalapplication of these technologies provides wireless access to the localarea network in the office, home, public hot-spots, and othergeographical locations. As merely an example, the IEEE 802.11 family ofstandards, commonly called WiFi, is the common standard for suchwireless application. Among WiFi, the 802.11b standard-based WiFi oftenoperates at 2.4 GHz unlicensed radio frequency spectrum and can offerwireless connectivity at speeds up to 11 Mbps. The 802.11g compliantWiFi can offer even faster connectivity up to 54 Mbps and can operate at2.4 GHz unlicensed radio frequency spectrum. The 802.11a can providespeeds up to 54 Mbps operating in the 5 GHz unlicensed radio frequencyspectrum. The 802.11n can provide speeds up to 600 Mbps using techniquessuch as channel bonding and MIMO (multiple input multiple output). TheWiFi enables a quick and effective way of providing wireless extensionto the conventional wired LAN.

In order to provide wireless extension of the LAN using WiFi, one ormore WiFi access points (APs) connect to the LAN connection ports eitherdirectly or through intermediate equipment such as WiFi switch. A usernow wirelessly connects to the LAN using a device equipped with WiFiradio, commonly called wireless station, wireless client, or simplystation or client, which communicates with the AP. The connection isfree from cable and other physical encumbrances and allows the user to“Surf the Web”, check e-mail or use enterprise computer applications inan easy and efficient manner. Unfortunately, certain limitations stillexist with WiFi. That is, the radio waves often cannot be contained inthe physical space bounded by physical structures such as the walls of abuilding. Hence, wireless signals often spill outside the area ofinterest. Unauthorized users can wirelessly connect to the AP and hencegain access to the LAN from the spillage areas such as the street,parking lot, and neighbor's premises. Consequently, the conventionalsecurity measure of controlling access to the physical space where theLAN connection ports are located is now inadequate.

In order to prevent unauthorized access to the LAN over WiFi, the AP canemploy certain techniques. For example, the user is required to carryout authentication handshake with the AP (or a WiFi switch that residesbetween the AP and the LAN) before being able to connect to the LAN.Examples of such handshake are Wireless Equivalent Privacy (WEP) basedshared key authentication, 802.1x based port access control, 802.11ibased authentication etc. The AP can provide additional securitymeasures such as encryption, firewall, and station MAC address basedaccess control. Other techniques also exist to enhance security of theLAN over WiFi.

Despite these measures, many limitations still exist with WiFi. Hackersare increasingly exploiting these limitations as a way to attack theLANs of the organizations. As merely an example, as recently reported inthe Wall Street Journal (see “Breaking The Code How Credit-Card DataWent Out Wireless Door”, The Wall Street Journal, May 4, 2007), wirelesscommunications were used to steal 45.7 million credit and debit cardnumbers from the LAN of the TJX Cos. of Framingham, Mass. It is alsoreported that the TJX's breach-related bill could surpass $1 billionover five years. As another example, the organizations often failsecurity audits on grounds of wireless vulnerabilities. Many of theseorganizations are also required to be compliant with regulatorystandards such as PCI-DSS (Payment Card Industry Data SecurityStandard), HIPAA (Healthcare Insurance Portability and AccountabilityAct) etc. Failure of security audits can attract monetary and statutorypenalties.

Appropriate security mechanisms are thus needed to protect the LANresources from wireless intruders. Accordingly, techniques for improvingsecurity for local area network environments are highly desirable.

SUMMARY OF THE INVENTION

The present invention relates generally to wireless computer networkingtechniques. More particularly, the invention provides a method and asystem for providing wireless vulnerability management for local areacomputer networks. Merely by way of example, the invention has beenapplied to a computer networking environment based upon the IEEE 802.11family of standards, commonly called “WiFi.” But it would be recognizedthat the invention has a much broader range of applicability. Forexample, the invention can be applied to Ultra Wide Band (“UWB”), IEEE802.16 commonly known as “WiMAX”, Bluetooth, and others.

One of the objects of the present invention is to provide wirelessvulnerability management as Software-as-a-Service (SaaS). The inventionprovides for wireless vulnerability management for local area computernetworks to be provided as a hosted service. The invention provides forcustomer entities subscribing for wireless vulnerability managementservice with a service provider entity. The service provider entity canhost and operate a wireless vulnerability management server. Thecustomer entities deploy sniffers supplied by the service providerentity on their premises. The sniffers monitor wireless activity andreport the associated information to the server. Each of the customerentities can customize the processing of the information reported by itssniffers. The customers can pay for the wireless vulnerabilitymanagement based upon their usage of various wireless vulnerabilitymanagement features.

According to a specific embodiment, a Software as a Service (SaaS) basedmethod is provided for providing wireless vulnerability management forlocal area computer networks. The method includes providing a securityserver. The security server can be hosted by a service provider entity.Moreover, the security server is coupled to the Internet and is adaptedto provide analysis of data associated with wireless vulnerabilitymanagement for a plurality of local area computer networks of aplurality of customer entities, respectively. For example, the customerentity can be retail organization, hospital, financial institution,educational institution, defense organization, federal institution, orany other organization which uses a local area network to conduct itsbusiness and desires to protect its local area network from wirelessvulnerabilities. The local area network (e.g., private network) of thecustomer entity is coupled to the Internet through a customer sidefirewall. In an embodiment, the service provider entity can be abusiness entity separate from the customer entity. Examples of theservice provider entity include among others managed service provider(MSP), application service provider (ASP), remote network managementprovider, auditor, penetration tester and like. The security server canbe coupled to a local area network of the service provider entity. Thelocal area network of the service provider entity can be coupled to theInternet through a service provider side firewall. In an embodiment, thesecurity server can comprise one or more interconnected computers.

The method also includes creating a workspace for wireless vulnerabilitymanagement for a customer entity on the security server. In anembodiment, the creating the workspace is responsive to a request fromthe customer entity to subscribe to wireless vulnerability managementservice. The method includes receiving configuration informationassociated with the workspace for the customer entity at the securityserver.

Moreover, the method includes supplying one or more sniffers to thecustomer entity. In an embodiment, at least one of the one or moresniffers is a sniffer device and the supplying the one or more sniffersincludes shipping the sniffer device to the customer entity. In analternative embodiment, at least one of the one or more sniffers is asoftware adapted to perform sniffer functionality. In this embodiment,the supplying the one or more sniffers includes making the sniffersoftware available to the customer entity for downloading (e.g.,downloading over the Internet).

The method includes deploying the one or more sniffers at premises ofthe customer entity, and subsequently receiving connection requests atthe security server over the Internet from the one or more sniffers. Themethod also includes associating identities of the one or more snifferswith the workspace for the customer entity at the security server. Theone or more sniffers scan radio channels and collect informationassociated with wireless activity observed on those radio channels. Themethod includes receiving at the security server information associatedwith wireless activity monitored by the one or more sniffers at thepremises of the customer entity. The information is received from theone or more sniffers over the Internet. Moreover, the method includesprocessing the received information associated with the wirelessactivity within the workspace for the customer entity using the securityserver and metering usage of the workspace for wireless vulnerabilitymanagement for the customer entity. In an embodiment, a level ofsubscription (e.g., trial, paid, partially paid) etc. may be associatedwith the workspace. In an embodiment, the metering can include trackingor accounting the usage of the workspace. In an alternative embodiment,the metering can include charging the customer entity for the usage ofthe workspace. Yet alternatively, the metering can include charging thecustomer entity for the usage of the workspace based at least upon thetracked or accounted usage of the workspace.

In an embodiment of the present invention, wireless vulnerabilitymanagement is provided for the plurality of local area computer networksof the plurality of customer entities, respectively, in a substantiallyconcurrent manner.

According to an alternative specific embodiment, a server systemcomprising one or more interconnected computers is provided. The one ormore interconnected computers are adapted to provide wirelessvulnerability management based upon Software as a Service (SaaS) for aplurality of private computer networks of a plurality of customerentities, respectively. These computers are programmed to execute thestep of receiving information associated with wireless activity from aplurality of sets of sniffers over the Internet. These plurality of setsof sniffers are positioned within premises of the plurality of customerentities, respectively, in a preferred embodiment. The computers arealso programmed to execute the step of maintaining a plurality ofworkspaces for wireless vulnerability management for the plurality ofcustomer entities, respectively. They are programmed to execute the stepof identifying a plurality of portions of the received information thatare associated with the plurality of customer entities, respectively.The computers are programmed to execute the step of processing theplurality of portions within the plurality of workspaces, respectively.They are also programmed to execute the steps of metering usages of theplurality of workspaces and generating billing data for the plurality ofcustomer entities based at least upon the metering.

According to yet an alternative specific embodiment, aSoftware-as-a-Service (SaaS) based method is provided for availingwireless vulnerability management for local area computer network. Themethod includes generating a request for wireless vulnerabilitymanagement for a local area network of a customer entity and receivinglogin information associated with a workspace for the customer entity.In this embodiment, the workspace is created on a security server toprovide wireless vulnerability management for the local area network ofthe customer entity. Moreover, the security server can be hosted by aservice provider entity. The security server is coupled to the Internetand is adapted to provide analysis of data associated with wirelessvulnerability management for a plurality of local area computer networksof a plurality of customer entities, respectively.

The method includes providing configuration information associated withthe workspace for the customer entity to the security server. The methodalso includes receiving one or more sniffers at premises of the firstcustomer entity and connecting the one or more sniffers to the localarea network of the first customer entity. Moreover, the method includesgenerating connection requests to the security server over the Internetfrom the one or more sniffers, respectively, subsequent to the one ormore sniffers being connected to the local area network of the firstcustomer entity. The method includes transferring identity informationfrom the one or more sniffers to the security server. This identityinformation can be used to associate the one or more sniffers with theworkspace for the first customer entity.

The method also includes sending to the security server informationassociated with wireless activity monitored by the one or more sniffersat the premises of the first customer entity. The information is sentfrom the one or more sniffers to the security server over the Internet.The method includes receiving results from processing of the sentinformation associated with the wireless activity. The processing isperformed using the security server and is performed within theworkspace for the customer entity. Depending upon embodiment, theresults can include alerts (alarms), reports, displayed information etc.The method includes generating payment authorization based at least uponusage of the workspace for the customer entity.

According to a further alternative specific embodiment, a servercomputer adapted to provide wireless vulnerability management asSoftware-as-a-Service (SaaS) for a plurality of private computernetworks of a plurality of customer entities, respectively, is provided.The server computer comprises a memory unit storing computer executableinstructions and a processor unit for executing the computer executableinstructions. Moreover, the server computer comprises a communicationinterface for coupling the server computer to a computer network. Thecomputer executable instructions are adapted to perform the step ofreceiving information associated with wireless activity using thecommunication interface from a plurality of sets of sniffers over theInternet, the plurality of sets of sniffers being positioned withinpremises of the plurality of customer entities, respectively. Thecomputer executable instructions are also adapted to perform the step ofmaintaining a plurality of workspaces for wireless vulnerabilitymanagement within the memory unit for the plurality of customerentities, respectively. The instructions are adapted to perform thesteps of identifying a plurality of portions of the received informationthat are associated with the plurality of customer entities,respectively, and processing the plurality of portions using theprocessor unit in accordance with the plurality of workspaces,respectively. The server computer is also provided with a power adapterfor coupling the server computer to a source of power. Preferably, theprocessor unit, the memory unit, the communication interface, and thepower adapter are provided within a single enclosure.

Various advantages and/or benefits may be achieved from variousembodiments of the present invention. The present inventionadvantageously provides for the security server to be hosted by aservice provider entity, which is separate from a customer entity whichowns/operates/uses the LAN for which wireless vulnerability managementis desirable. The security server can be often geographically remote tothe customer premises. Advantageously, the present invention providesfor the expensive security server resources to be shared across aplurality of customer entities. The method and system according to thepresent invention can reduce overhead of deployment and operation of thewireless vulnerability management system for the customer entities. Byproviding for subscription based model for wireless vulnerabilitymanagement, entry cost is reduced for the customer entities. Thetechniques according to present invention can also facilitate for thecustomer entities starting small with wireless vulnerability managementand then grow as the budgets become available. An embodiment of thepresent invention also facilitates the customer entities to customizetheir workspace per their security needs, compliance requirements,budgets etc. These features make wireless vulnerability managementaffordable and feasible for customer entities. This in turn can reduceoccurrences of security breaches and audit failures for the customerentities. For example, the technique can prevent theft of credit carddata, social security number data etc. from the LANs of the customerentities. In an embodiment, the system and the method according to thepresent invention can be implemented using “Web 2.0” framework, and thusprovide benefits associated with the Web 2.0 framework.

These and various other objects, features and advantages of the presentinvention can be more fully appreciated with reference to the detaileddescription and accompanying drawings that follow.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A illustrates an exemplary conventional WIDS/WIPS systemconfiguration for wireless security for local area computer networks.

FIG. 1B illustrates an exemplary SaaS (Software-as-a-Service) systemconfiguration for wireless vulnerability management for local areacomputer networks according to an embodiment of the present invention.

FIG. 2 illustrates an exemplary logical flow of steps in a method forwireless vulnerability management for local area computer networksaccording to an embodiment of the present invention.

FIG. 3A illustrates an exemplary computer screenshot to facilitateinputting information associated with authorized wireless networkaccording to an embodiment of the present invention.

FIG. 3B illustrates another exemplary computer screenshot to facilitateinputting information associated with authorized wireless networkaccording to an embodiment of the present invention.

FIG. 4A illustrates an exemplary computer screenshot to facilitateinputting information associated with intrusion prevention configurationaccording to an embodiment of the present invention.

FIG. 4B illustrates an exemplary computer screenshot to facilitateinputting information associated with notification preferences accordingto an embodiment of the present invention.

FIG. 4C illustrates an exemplary computer screenshot to facilitateinputting information associated with wireless vulnerability reports tobe generated according to an embodiment of the present invention.

FIG. 4D illustrates another exemplary computer screenshot to facilitateinputting information associated with wireless vulnerability reports tobe generated according to an embodiment of the present invention.

FIG. 4E illustrates an exemplary computer screenshot to facilitateinputting physical location information associated with customer siteaccording to an embodiment of the present invention.

FIG. 5 illustrates an exemplary computer screenshot to display wirelessactivity information according to an embodiment of the presentinvention.

FIG. 6 illustrates an exemplary schematic diagram of sniffer deviceaccording to an embodiment of the present invention.

FIG. 7 illustrates an exemplary schematic diagram of security serversystem according to an embodiment of the present invention.

FIG. 8 illustrates an exemplary logical flow of steps in a method forcertain wireless intrusion detection and prevention according to anembodiment of the present invention.

FIG. 9 illustrates an exemplary logical flow of steps in a certainmethod for maintaining list of active access points according to anembodiment of the present invention.

FIG. 10 illustrates an exemplary logical flow of steps in a certainmethod for protecting WEP communications according to an embodiment ofthe present invention.

FIG. 11 illustrates an exemplary logical flow of steps in a certainmethod for detecting MAC address spoofing according to an embodiment ofthe present invention.

FIG. 12 illustrates an exemplary logical flow of steps in a method fordetecting certain denial of service attack according to an embodiment ofthe present invention.

FIG. 13A illustrates an exemplary logical flow of steps in a method forRF visualization for sniffer coverage according to an embodiment of thepresent invention.

FIG. 13B illustrates an exemplary computer screenshot displaying sniffercoverage according to an embodiment of the present invention.

DESCRIPTION OF THE SPECIFIC EMBODIMENTS

Wireless devices have become ubiquitous and easily available. As merelyan example, these include wireless devices using IEEE 802.11 family ofstandards (commonly referred to as “WiFi”). The WiFi devices can includeWiFi Access Points (APs) as well as client devices such as laptops withwireless connectivity, wireless handheld scanners, mobile phones etc.These devices have become all too commonplace—in and around homes,coffee shops, public and municipal areas, and business premises oftypical organizations which often include private networks (e.g., localarea networks (LANs)) of those organizations.

Hackers are increasingly using wireless communication as a way to attackthe LANs of the organizations. As merely an example, as recentlyreported in the Wall Street Journal, wireless communications were usedto steal 45.7 million credit and debit card numbers from the LAN of theTJX Cos. of Framingham, Mass. It is also reported that the TJX'sbreach-related bill could surpass $1 billion over five years.

Proliferation of wireless communication creates a variety ofvulnerabilities for the LAN. Examples of these vulnerabilities include,but not limited to:

Unmanaged APs: Unmanaged AP can be an AP that is installed on the LAN ofthe organization by unassuming or malicious employee without theknowledge of the owner/administrator of the network. Such an AP may notemploy the right security controls and can provide a way for hackers toaccess the LAN in an unauthorized manner.

Outdated Security Controls: Wireless devices that use outdated or weaksecurity controls provide avenues for hackers to get into the LAN in anunauthorized manner. They can also enable hackers to eavesdrop on thewireless communication in the LAN. As merely an example, a wirelessencryption technique called WEP (Wired Equivalent Privacy) is a weakform of encryption and it can be evaded by hackers using software toolsthat are openly available. Examples include aircrack, aircrack-ptw etc.Use of WEP for wireless communication in the LAN can provide a way forhackers to access the LAN in an unauthorized manner. For example, thehacker can recover the secret key used in WEP encryption using these andother hacking tools and use it to obtain access to the LAN. The hackercan also eavesdrop on wireless communication in the LAN using this key.

Unauthorized Wireless Connections: Stations with built-in wirelesscommunications capability (e.g., laptops using Centrino technology fromIntel Corporation of Santa Clara, Calif.) can engage in unauthorizedwireless connections, either accidentally or maliciously. For example,the WiFi radios in the stations are often configured to connect to theAP with strongest signal strength. In a typical downtown environment forexample, wireless signals from a fairly large number of APs in thevicinity (e.g., in neighbor's LANs, in municipal WiFi, in coffee shopsetc.) can be detected by the station with built-in WiFi radio. It islikely that the signal strength from the neighboring AP is stronger thanthe signal strength from the authorized AP in the organization' LAN(e.g., if the station is near the boundary of the organizationpremises). The station can thus connect to these neighboring externalAPs. This creates security vulnerability.

Man-in-the-Middle Attacks: Certain connection behavior of WiFi stationscan be exploited to lure them away from legitimate connections and intomaking connections with malicious APs. As merely an example, a honeypotAP can lure WiFi stations into connecting to it and then exploit thestation via variety of attacks including Man-in-the-Middle attack.Hacking tools such as KARMA, delegated, Airsnarf are available toexecute honeypot attack. The attacker AP can also use a MAC spoofingprocess to lure stations into connecting to it.

Ad-hoc Connections: The WiFi provides certain mode of communication inwhich stations can form wireless connections among themselves, e.g.,without having to go through an AP. Such connections are undesirable astypically security controls on legitimate wireless communications areexercised by the AP. The ad-hoc connections can bypass these securitycontrols exposing the stations and data therein to exploitation byhackers.

DOS (denial of service) Attacks: Attackers can disrupt operation ofwireless network by transmitting certain wireless signals from vicinityof the wireless network. Moreover, attackers can use techniques such ashigh gain antennas and directional antennas to increase the range and/orpotency of the transmitted attack signals. In certain DOS attacks, theattacker transmits certain specially crafted 802.11 frames (e.g.,spoofed deauthentication frames, spoofed disassociation frames, frameswith large values for NAV (network allocation vector) fields in themetc.) to disrupt the legitimate WiFi communication. The disruption ofwireless network is undesirable, in particular, when the wirelessnetwork supports mission critical applications such as voice, telemetry,patient monitoring etc. Certain details about DOS attacks can be foundin a paper by Bellardo and Savage, entitled “802.11 Denial of ServiceAttacks: Real Vulnerabilities and Practical Solutions”, 12^(th) USENIXSecurity Symposium, August 2003; which is hereby incorporated byreference herein.

The vulnerabilities described herein are for illustrative purposes onlyand do not limit the scope of the present invention. These and othervulnerabilities put the LANs at risk from attackers who use wirelesscommunications as a way to get into the LAN and/or legitimate wirelessdevices associated with the LAN. As merely an example, a retailerorganization's LAN can comprise of computers that store credit cardinformation. Attacks launched using wireless communications can put theretailer at risk of credit card information theft. Moreover, theretailer may be required to comply with data security guidelines of thePCI-DSS and the wireless vulnerabilities may make the retailer's LANnon-compliant with the PCI-DSS.

As another example, a hospital LAN can comprise of computers that storepatient health and insurance data. Attacks launched using wirelessnetworks can put the hospital at risk of theft of private informationabout patients. The wireless vulnerabilities may in addition put thehospital at risk of violating HIPAA and thus attracting legal penalties.

As a further example, a bank's or financial institution's LAN cancomprise of computers that store customers' financial information.Attacks launched using wireless networks can put the bank at risk oftheft of private information of customers, modification of bank records,and can even put the bank at risk of security audit failure and legalpenalties associated with it. Certain organizations are required tocomply with regulatory requirements such as GLB (Gramm Leach Bliley) Actand SOX (Sarbanes Oxley) Act and wireless vulnerabilities can make themnon-compliant with these regulatory requirements.

Thus there is a need for techniques that can address the issuesdescribed above and throughout the present specification arising out ofwireless communications related vulnerabilities.

Conventionally, certain techniques are available for vulnerabilityscanning of LANs. In one technique, vulnerability scanning vendors canscan the LAN from the Internet to detect vulnerabilities in the LAN. Forexample, the organization's LAN is connected to the Internet using agateway and/or a firewall. The gateway and/or the firewall typically hasan IP address (e.g., public IP address) using which it connects to theInternet. For performing the vulnerability scanning, the IP address ofthe gateway is provided to the scanning vendor. The scanning vendormaintains an inventory of vulnerability scanning tools which are thenlaunched targeted to the IP address provided above. That is, thistechnique can scan the public Internet facing interface of the LAN.Examples of the scanning tools in the inventory can include Nessus, GFILANguard, Retina Network Security scanner, SAINT, nmap etc. Subsequentto the vulnerability scanning, a report containing results (e.g., anyopen ports detected, any private device in the LAN detected asaccessible from the Internet, any misconfigurations on the firewalldetected etc.) is provided to the customer (e.g., owner/operator of theLAN of the organization).

In certain another conventional technique for vulnerability scanning ofLANs, the scanning vendors can install certain devices on the LAN. Thesedevices can take form of a network appliance that can be plugged intothe customer's LAN (e.g., using Ethernet connection). The networkappliance can be configured to scan the LAN for operating systemvulnerabilities (e.g., missing security patches), misconfigurations etc.on the PCs and servers connected to the LAN. The vulnerabilitiesdetected can be presented in the form of report. The report may containpointers to URLs on the Internet which provide further details about thedetected vulnerabilities and remedies such as software upgrade.

In yet another conventional technique, radio channels are scanned invicinity of the LAN using certain handheld tools. The handheld tool cantake the form of a software running on a laptop or a PDA equipped withWiFi radio. The software can capture wireless traffic (e.g., 802.11frames transmitted on various radio channels). It can presentinformation about the captured traffic on a display screen, can store itin a file, and/or print it. The displayed information can includevisible wireless devices (APs, clients etc.), their operating channelsand security settings, radio signal strengths received from the wirelessdevices, connections among the wireless devices etc. Certain reports canbe generated based on the information collected and/or displayed. Thistechnique is also called as walk-around survey. For example, LaptopAnalyzer and Handheld Analyzer provided by AirMagnet Inc. of Sunnyvale,Calif. can be used as handheld tools for walk-around surveys.

In another conventional technique, wireless sensor devices are providedspatially dispersed over a geographic region of operation of the LAN.The sensor devices are also coupled to the LAN (e.g., using Ethernetconnections). The wireless sensor devices scan radio channels and gatherinformation about wireless traffic detected on those channels. Thegathered information is communicated to a server device that is alsocoupled to the LAN. The server can store and process the gatheredinformation. A console can be provided for reviewing the results of theprocessing of the gathered information and for the user to interact withthe system. The system of wireless sensors, the server, and the consoleis often called as Wireless Intrusion Detection System (WIDS) or aWireless Intrusion Prevention System (WIPS). This system can detectwireless vulnerabilities, and optionally block wireless communicationassociated with the detected vulnerabilities. Example of WIDS/WIPSinclude SpectraGuard Enterprise provided by AirTight Networks ofMountain View, Calif.

Several limitations exist with the conventional techniques. For example,the vulnerability scanning of the public Internet facing interface ofthe LAN is insufficient to detect wireless vulnerabilities describedabove and throughout the present specification. The walk-around surveywith the handheld scanner fails to monitor wireless vulnerabilities on acontinuous basis. Moreover, with walk-around survey, it is extremelydifficult to correlate information from different sites, storeconsolidated site-wide information at a central location etc. The WIDSor WIPS installed on a customer site and often managed by the customerturns out to be an expensive proposition from capital and operationalexpenses and deployment standpoint. Moreover skilled personnel arerequired to deploy and manage the WIDS/WIPS as well as monitor, analyze,and interpret information provided by the WIDS/WIPS about the LAN'swireless environment. Such personnel are hardly available with manycustomers. These limitations often leave LANs exposed to wirelessvulnerabilities which often go undetected and can result in informationsecurity breaches over a period of time. The present invention providestechniques to overcome these and other limitations and to facilitatewireless vulnerability management for LANs.

The present invention provides a method and a system for wirelessvulnerability management for local area computer networks. In anembodiment, the present invention provides for wireless scanning devices(hereinafter referred as “sniffers”) to be deployed at customerpremises. Advantageously, in one specific embodiment, the sniffers canbe pre-configured for operation in the customer premises so thatdeployment overhead is reduced. The sniffers can scan radio channels andgather information about wireless traffic on those radio channels in avicinity of the LAN. In this embodiment, the sniffers communicateinformation about the detected wireless traffic to the wirelessvulnerability management server (hereinafter referred to as a “securityserver”). The security server can store and process the detectedwireless traffic for vulnerability assessment. It can store results ofthe assessment, e.g., over a period of time. The security server cancommunicate the results to the user via alerts, reports and other typesof output.

An exemplary conventional WIDS/WIPS system configuration 100 forproviding wireless security for local area computer networks isillustrated in FIG. 1A, while an exemplary system configuration 110 forproviding wireless vulnerability management as Software as a Service(SaaS) according to an embodiment of the present invention isillustrated in FIG. 1B. As shown in FIG. 1A, customer entity X has twoLANs 102 and 103 at two geographic locations (e.g., offices in twocities) respectively. The LANs 102 and 103 are coupled to the Internet101 through firewalls 104 and 105, respectively. The LANs 102 and 103are interconnected using a VPN (Virtual Private Network) tunnel 106 overthe Internet. The LANs 102 and 103 and the VPN tunnel 106 thus form aprivate network of the customer X. Also shown are wireless sensors 107Aand 108A deployed within the premises of customer X to monitor wirelessactivity therein. The sensors send information associated with theirmonitored wireless activity to a server 109 of customer X forprocessing, storage etc. That is, the server 109 is connected to theprivate network of customer X. The transfer of information from thesensors to the server is illustrated via dashed lines in FIG. 1A.Similarly customer Y has LAN 110 that is coupled to the Internet throughthe firewall 111. The sensors 112A and 113A of the customer Y sendinformation associated with their monitored wireless activity to theserver 114 for processing, storage etc. That is, the server 114 iscoupled to the private network of the customer Y.

As shown in the SaaS configuration of FIG. 1B, the security server 115is provided in the service provider LAN 116. The security server isoperated and maintained by the service provider. Theoperating/maintaining the security sever can include upgrading thesecurity server (e.g., software on the server) to facilitate newerwireless vulnerability management techniques, performing databasebackups and so on. The service provider LAN 116 is coupled to theInternet 101 through the firewall 117. The sniffers 107B and 108B atcustomer X premises and the sniffers 112B and 113B at customer Ypremises send information about monitored wireless activity to thesecurity server 115 over the Internet. The transfer of information fromthe sniffers to the server is illustrated via dashed lines in FIG. 1B.The security server 115 processes and stores data reported by sniffersat customer premises X separate from that reported by sniffers atcustomer premises Y. For example, X and Y can have separateconfigurations for wireless vulnerability management operation, canrepresent diverse types of organizations (e.g., X can be a retailer andY can be a Hospital, X can be a high school and Y can be a financialinstitution etc.) and thus have diverse security requirements, budgets,could have subscribed to different sets of modules for wirelessvulnerability assessment and so on.

In various embodiments of the present invention, the sniffers 107B,108B, 112B, and 113B etc. can use variety of protocols to sendinformation about monitored wireless activity to the security serverover the Internet. In an embodiment, at least a portion of theinformation can be sent using TCP (Transmission Control Protocol). In analternative embodiment, at least a portion of the information can besent using UDP (User Datagram Protocol). In yet an alternativeembodiment, the information sent over the Internet can be encryptedand/or authenticated. As merely an example, protocols such as IPSec (IPSecurity), HTTPS (Hyper Text Transfer Protocol Secure) etc. can be usedto encrypt the information sent over the Internet. In anotherembodiment, one or more VPN tunnels can be formed over the Internetbetween the LANs of the customers and the service provider LAN. At leasta portion of the information can be sent through the VPN tunnels. In yetanother embodiment, the sniffers positioned at the customer premisessend at least a portion of the information about monitored wirelessactivity to one or more computers in the customer network (e.g.,customer's LAN, customer's private network etc.) and these one or morecomputers can in turn send the information to the security server overthe Internet. These embodiments are exemplary only and various otheralternatives will be apparent to persons with ordinary skill in the artbased upon the present specification.

The present invention advantageously provides for the security server tobe hosted by a service provider entity, which is separate from acustomer entity which owns/operates/uses the LAN, and oftengeographically remote to the customer premises. Advantageously, thepresent invention provides for the expensive security server resourcesto be shared across a plurality of customer entities.

Moreover, the present invention provides a workspace for the customer onthe security server and facilitates the customer to select and/orconfigure the wireless vulnerability management workspace as per needsand budget. In an embodiment, the customer can also optionally availservices from skilled professionals at the service provider entity toconfigure and operate the wireless vulnerability management workspace onthe customer's behalf. By reducing the overhead of deployment, the entrycost, and the expenses and the required skills for operation, thepresent invention provides for affordable wireless vulnerabilitymanagement.

In an embodiment, the present invention provides a method for wirelessvulnerability management. As merely an example, the system illustratedin FIG. 1B can provide an environment within which the method can bepracticed. An exemplary logical flow of steps in the method 200 forwireless vulnerability management for local area computer networksaccording to an embodiment of the present invention is illustrated inFIG. 2 and described in more detail below. This diagram is merely anexample and should not unduly limit the scope of the claims herein. Oneof ordinary skill in the art would recognize many variations,modifications, and alternatives based on the teachings of the presentspecification. In various embodiments, one or more steps can be omitted,one or more steps can be added, one or more steps can be modified, oneor more steps can be split into sub-steps, one or more steps can becombined into lesser number of steps and like.

As shown in FIG. 2, at step 202 the method includes receiving a requestfor wireless vulnerability management from a customer entity. Forexample, the customer entity (e.g., owner/operator/user of a LAN) canrequest wireless vulnerability management for his or her LAN. As merelyan example, the customer can log into a website adapted to receiverequests for wireless vulnerability management from customers.Alternatively, other means of receiving requests such as email, phonecall etc. can be used to receive the request for wireless vulnerabilitymanagement. The request can include information such as customer'scontact details. Moreover the request can include information such astotal area of customer premises for which wireless vulnerabilitymanagement is required, how the total area is distributed (e.g., amongdifferent geographic regions, floors etc.), and other type spatiallayout information. Other types of information such as nature ofbusiness (e.g., retail, hospital, financial etc.) of customer andrequirement for compliance with any security standard (e.g., PCI-DSS,HIPAA etc.) can also be included in the request. The request mayindicate if the customer LAN includes or plans to includes an authorizedwireless network of its own and if so information regarding devicevendors, protocols (e.g., 802.11b/g, 802.11a), authentication andencryption schemes (e.g., WEP, WPA, 802.11i etc.) etc. associated withthe authorized wireless network. In an embodiment, the request can alsoindicate that the customer does not have authorized wireless network ofits own. Additional information such as volume of wireless traffic thatis typically present in a vicinity of the customer premises, anyprevious security breaches the customer has experienced, requirement forabiding with various industry standards (e.g., Plenum rated sniffers,NEMA enclosures for outdoor deployment) etc. can also be included in therequest. In an alternative embodiment, upon receiving request from thecustomer for wireless vulnerability management, a customer serviceassociate can establish contact with the customer for receiving varioustypes of information such as examples given before and like.

Step 204 includes creating a workspace for the customer on the securityserver. Advantageously in this embodiment, the security server can behosted at a datacenter outside of the customer premises, at the serviceprovider premises and like. Moreover, the security server can be sharedacross a plurality of customers. The customer can access the workspaceover the Internet. In an embodiment, a customer account, e.g., havingassociated with it a username and a password, is associated with theworkspace. Moreover, associated with the customer account can beidentification of personnel and/or computer entities at the customerpremises that are allowed to access the account and associatedprivileges. Examples of privileges can include among others privilege toview one or more screens (e.g., screens comprising information aboutvisible devices, events, alarms, reports, configuration details etc.that pertain to the customer account), privilege to modify one or moreoperational configuration parameters, privilege to select/deselect oneor more modules associated with wireless vulnerability management,privilege to initiate one or more remediation processes etc. Privilegecan also depend upon the location where the wireless activity isdetected. For example, certain operator may be allowed to view one ormore screens associated with wireless activity information pertaining toone location that is under the purview of the operator, but notpertaining to another location which is not under the purview of theoperator.

Step 206 can then prepare/configure the sniffers for the customeraccount and ship them to the customer entity via US postal services orcourier services such as Fedex. In an embodiment, the sniffers areconfigured so that when they are deployed on the customer premises (asin step 208), they are able to discover (e.g., automatically) thesecurity server and connect to it over the Internet. In an embodiment, aURL (Uniform Resource Locator) of the security server is configured inthe sniffers. When the sniffers are connected to the LAN at the customerpremises, they seek connection to the security server identified by theURL.

Alternatively or in addition, in this embodiment, the sniffers areconfigured so that when the customer deploys them on the premises (step208) and when they connect to the security server from the customerpremises (e.g., over the Internet) they appear within the customer'sworkspace created in step 204. In an embodiment, sniffer identities areassociated with the customer account prior to shipping the sniffers tothe customer. This enables associating the sniffers to the correctcustomer workspace when they connect to the security server from thecustomer premises. In an alternative embodiment, distinct authenticationcredentials (e.g., certificate, password etc.) are generated for sniffergroups belonging to distinct customer entities. The sniffers arerequired to present these authentication credentials for connecting toand/or interacting with the security server over the Internet. The useof the right credentials facilitate associating the sniffers to theircorrect customer workspaces in this embodiment.

In an alternative embodiment, step 206 can instead or in additioninclude making sniffer software available to the customer for download.The sniffer software is adapted to execute on one or more computersincluding radio communication facility at customer premises (e.g.,laptops using Microsoft Windows family of operating system and IntelCentrino WiFI radio, PCs using Linux operating system and PCMCIA radiocard, handheld devices such as PDAs, iPhone with built in or attachableWiFi radio card etc.). The software can include configurationinformation such as URL so that it can communicate with the securityserver after it is installed and run at the customer premises.Alternatively, it can prompt the user to input the security serveridentity information such as URL, IP address and like.

At step 208 in the method 200, the sniffers are deployed at the customerpremises. In an embodiment, sniffers are spatially distributed over thecustomer premises to monitor wireless communications. The sniffers arealso connected to the LAN using their wired or wireless networkinterfaces. The sniffers can access the Internet and communicate to thesecurity server over the Internet. Preferably, the firewall thatmonitors traffic flowing across the LAN-Internet boundary should beconfigured to permit communication between the sniffers and the securityserver. As described in step 206, in an embodiment, when the sniffersconnect to the security server, they are shown as active within thecustomer workspace on the security server.

At step 210, the customer can log into the customer workspace andprovide information associated with his authorized wireless network. Forexample, the customer can log into the security server from a computerover the Internet. As merely an example, the customer can use a webbrowser such as Internet Explorer (provided by Microsoft Corporation ofRedmond, Wash.), Netscape, Firefox provided by Mozilla Corporation ofMountain View, Calif. etc. to access the security server. The securityserver can be identified via a URL, an IP address etc. The securityserver may prompt the user for username and password. After successfullogin, the security server may send information across the Internetwhich is adapted to display certain screens in the web browser orvarious other types of user interfaces. These screens can be used by thecustomer to provide the authorized wireless network information.

The information associated with the authorized wireless network providedby the customer can advantageously facilitate detecting authorized andunauthorized wireless activity. It can also help detect certain wirelessvulnerabilities. As merely an example, certain network name called asSSID (Service Set Identifier) is used to identify a WiFi wirelessnetwork. In an embodiment, the information associated with theauthorized wireless network can include a list of SSIDs that are used inthe authorized wireless network. In this embodiment, when the snifferdetects an AP that is using SSID outside this list, it can identify theAP to be unauthorized AP. Depending upon the embodiment, the informationabout the authorized wireless network can include identities ofauthorized access points (e.g., their wireless MAC addresses), securitycontrols to be used for authorized wireless communication (e.g., WEP,WPA2, IEEE 802.11i, IEEE 802.11w etc.), identities of authorizedwireless stations, identities of network segments (e.g., subnetworks,VLANs etc.) to which the APs are connected for traffic forwardingbetween wired and wireless media and like.

Exemplary computer screenshots 300 and 320 that can facilitate thecustomer to input information associated with authorized wirelessnetwork are illustrated in FIGS. 3A and 3B, respectively. These diagramsare merely examples and should not unduly limit the scope of the claimsherein. The information inputted by the customer can be received by thesecurity server over the Internet (e.g., using protocols such as TCP,HTTP, HTTPS and like). As shown in FIG. 3A, the screen 300 can providefor selecting whether or not authorized WiFi network is present at aparticular location in customer premises (301 and 302). If theauthorized WiFi is present, the screen can provide for inputting SSID ofthe authorized WiFi network (303). One or more SSIDs can be inputted. Inthis embodiment, the screen 320 provides for inputting informationassociated with settings of APs associated with the authorized SSID,such as for example whether the SSID is for guest connectivity (304)which can then be treated differently from other SSIDs which are forauthorized access for users within the organization, wireless securitysettings protocol (305), wireless authentication framework (306),wireless encryption protocol (307), 802.11 physical layer protocol(308), additional AP capabilities (309), authentication types (310), thenetworks to which the AP is allowed to connect wireless traffic to(311), vendor information (312) etc.

In an embodiment, step 210 can also include receiving informationassociated with certain operational configuration parameters. As merelyan example, the operational configuration parameters can includeconfiguration of certain actions to be performed responsive to certainunauthorized wireless activity (referred herein as “intrusionprevention”). An exemplary computer screenshot 400 that can facilitateinputting the intrusion prevention configuration is illustrated in FIG.4A. This diagram is merely an example and should not unduly limit thescope of the invention. Persons of ordinary skill in the art canidentify various modifications and alternative based on the presentdisclosure. The information inputted using the screen 400 can bereceived by the security server. As shown, the screen 400 can providefor selecting prevention (e.g., automatic prevention subsequent todetection) of various categories of wireless vulnerabilities (as shownby selections 401 to 407). In an embodiment, the screen also indicatesthe limit on the categories that can be selected (408). For example,this limit can be based upon the level of vulnerability managementservice (for example, subscription package) that the customer hassubscribed to and agreed to pay for. The screen also provides forupgrading the service level to be able to select more categories (409).

In an alternative embodiment, the configuration information can includeinformation associated with notification preferences, for example,manner of receiving notifications upon detection of a selectedvulnerability. An exemplary computer screenshot 420 for inputtinginformation associated with notification preferences is illustrated inFIG. 4B. This diagram is merely an example and should not unduly limitthe scope of the invention. Persons of ordinary skill in the art canidentify various modifications and alternative based on the presentdisclosure. As shown in FIG. 4B, the screen 420 can show a listing ofvulnerabilities. For one or more of the listed vulnerabilities, aselection can be inputted/modified as to whether the notification is tobe displayed (422), e.g., when the customer logs into the workspace andchooses to view the notifications, to be emailed (424), documented inreport (426) etc. Severity level can also be assigned (or modified fromdefault value) for the listed vulnerability (428). As shown at 432, thescreen can provide information associated with cost of notification. Inan embodiment, customer can be charged based upon the number ofsubscribed notifications (430). In an alternative embodiment, thecustomer can be charged based upon the number of notifiedvulnerabilities. In an embodiment, the cost of notification can alsodepend upon the severity level selected, the nature of vulnerability andso on.

In yet an alternative embodiment, the configuration information caninclude information associated with reports to be generated based uponthe processing of the wireless activity information. Some exemplarycomputer screenshots 440 and 460 for inputting information associatedwith reports to be generated upon processing the wireless activityinformation are illustrated in FIGS. 4C and 4D, respectively. Thesediagrams are merely examples and should not unduly limit the scope ofthe claims herein. Persons of ordinary skill in the art would identifyvarious modifications and alternative based on the present disclosure.As shown in FIG. 4C, the screen 440 can facilitate report configuration.For example, name of report (442), description of report (444) etc. canbe configured (inputted). A delivery schedule (446) can also beconfigured (created) (448). Moreover, new reports can be configured(454A), existing reports can be reconfigured (454B), existing reportscan be deleted (454C) etc. In this embodiment, one or more sections tobe contained in the report (450) can also be configured using thevarious options such as adding (452A), editing (452B), and deleting(452C) sections. As shown in FIG. 4D, the nature of information to befilled into various sections can also be configured. As shown in screen460, the logic (464) for filling information into a selected section(462) can be configured.

In yet a further alternative embodiment, the configuration informationcan include information associated with physical locations, e.g.,hierarchy of physical locations at customer premises. The informationcan also include information about association between sniffers and thephysical locations, for example, identifying for each sniffer a physicallocation where it is placed. This facilitates organization andprocessing of wireless activity information with regard to locationwhere it is detected. An exemplary computer screenshot 480 forinformation associated with physical location hierarchy is illustratedin FIG. 4E. This diagram is merely an example and should not undulylimit the scope of the invention. Persons of ordinary skill in the artcan identify various modifications and alternative based on the presentdisclosure. As shown in FIG. 4E, the screen 480 can indicate locationhierarchy 482. In an embodiment, the customer entity can create thelocation hierarchy by inputting appropriate configuration informationrelated to how the customer premises are laid out. In an embodiment, thesniffer identities can be associated with locations. As shown in thescreen 480, the identities of sniffers (MAC addresses 484, IP addresses486 etc.) associated with a selected location can be displayed.Preferably, the sniffers are positioned in customer premises at theassociated locations. In an embodiment, the customer can associatesniffer identities to specific locations based upon how the sniffers arepositioned in the customer premises. The uptime of sniffers can also beindicated (488). In an embodiment, the uptime information can be used tocharge for sniffer usage (e.g., meter the sniffer usage for wirelessactivity monitoring). In various embodiments, certain otherconfiguration and module selection information can also be specific toselected locations.

While certain exemplary configuration parameters have been describedwithin the specific embodiments, they are not limiting and there aremany others which persons of ordinary skill in the art can contemplatebased on the present teachings.

At step 212, the customer can select from a plurality of modules forwireless vulnerability management. By way of examples, the plurality ofmodules include:

Scanning Module: In an embodiment, when the scanning module is selected(e.g., activated) the sniffers scan radio channels and report certaininformation about observed wireless activity to the security server. Thesecurity server can then display this information (e.g., when thecustomer logs into the security server over the Internet using a webbrowser or other means and chooses to review the information), send areport on the collected information (e.g., as a file download, viaemail) etc. An exemplary screenshot 500 for display of the wirelessactivity information gathered from the scanning is illustrated in FIG.5. This diagram is merely an example and should not unduly limit thescope of the claims. Persons of ordinary skill in the art wouldrecognize many alternatives and modifications based upon the presentdisclosure. As shown in FIG. 5, the screen 500 can provide for selectingwhether the customer wants to view APs, clients, or connections (e.g.,wireless connections among APs and clients) associated with the wirelessactivity (502). The location that is relevant for the wireless activitybeing displayed can also be indicated in the screen 500 (504). Thescreenshot 500 in FIG. 5 shows selection being made to view APinformation. The identities of APs can then be displayed (506) alongwith various other detected information such as whether the AP iscurrently active (507), security settings on the AP (508), SSID (509),channel of operation (510), protocol (511), time since AP is up (512)and like. The screenshot 500 is exemplary only and should not limit thescope of the claims.

Various alternatives and modifications for displaying wireless activityinformation are possible and will be apparent to persons with ordinaryskill in the art from the present disclosure. For example, in anembodiment, the display of wireless activity information can includesignal strength information associated with the wireless activity. In analternative embodiment, the display can include listing of packets(e.g., 802.11 MAC frames) detected by sniffers on the radio channels.Various constituent fields/parameters associated with one or more of thelisted packets can also be displayed in an embodiment. In otheralternative embodiments, the wireless activity information can includevarious statistics about packet transmissions, retransmissions, packeterrors, transmission speeds, traffic on various radio channels,data/management/control traffic mix, unicast/broadcast traffic mix,voice/data traffic mix, channel noise, channel interference, devicemobility patterns, traffic from/to various devices and so on.

Threat Assessment Module: In an embodiment, selecting the threatassessment module facilitates performing a variety of analyses on thewireless activity information collected by the sniffers. The results ofthese analyses can be provided to the customer (e.g., displayed,reported via email etc.). Threat assessment module can analyze thewireless activity information to detect variety of security threats.These include among others: unmanaged APs connected to the LAN, MACspoofing, DOS attacks, WEP cracking, undesirable wireless connections,misconfigurations of authorized wireless network etc. Depending uponembodiments, one or more of these and other vulnerabilities/threats canbe analyzed/detected. In an embodiment, a list ofvulnerabilities/threats that can be analyzed/detected is presented tothe customer and the customer can select (e.g., subscribe to) a subsetor all of them.

Remediation Module: In an embodiment, when the remediation module isselected, it can take certain actions against the vulnerability/securitybreach detected. As merely an example, the remediation action caninclude blocking/disrupting communication over undesirable wirelessconnections. For example, suppose an unauthorized AP is detected to beconnected to the LAN, the security server can take action to disablewireless communication associated with the unauthorized AP to preventsecurity breaches using such communication. In an embodiment, thesecurity server can instruct the sniffer (e.g., one in a vicinity of theunauthorized AP) to disrupt any wireless communication associated withthe unauthorized AP via a “deauthentication” procedure. In certaindeauthentication procedure, the sniffer can send spoofeddeauthentication messages to the AP and/or one or more clients connectedto the AP instructing to disconnect the wireless link. Other types ofremediation processes are possible.

In an embodiment, the prevention process is automatically initiated upondetection of security vulnerability. Alternatively, the preventionprocess for the detected vulnerability can be manually initiated whenrequested by the operator who attends to the detected vulnerability. Theselection with regards to automatic or manual initiation of preventionprocesses for the one or more detected vulnerabilities can be providedas operation configuration parameters (e.g., as in step 210).

Location Tracking Module: In an embodiment, selecting the locationtracking module facilitates determining (e.g., estimating) physicallocation of a source of threat posing wireless activity. This module canbe useful for deployments which are spread over large geographic areas(e.g., millions of square feet). In an embodiment, location tracking isperformed by triangulating the location of source of wireless activitybased upon the receive signal strength measurements performed by thesniffers in a vicinity of the source. Depending upon embodiments,various types of location tracking can be provided such as coarselocation tracking (e.g., site level, building level etc.), granularlocation tracking (e.g., cube level, room level etc.), on demandlocation tracking (e.g., when customer requests the location to betracked), continuation location tracking (e.g., to trace the path ofwireless device over a period of time and at certain intervals duringthat period) etc.

Reporting Module: In an embodiment, information related to the detectedvulnerabilities/threats can be reported to the customer using reportingmeans such as email, SMS etc. Alternatively, the information can bereported using formats such as SNMP traps. In an embodiment, thedetected vulnerabilities/threats are documented in a report and thereport is made available to the customer at predetermined intervals(e.g., intervals selected by the customer) via means such as email, filedownload and like. In an embodiment, the reports can be pre-configured(e.g., PCI-DSS compliance assessment report, HIPAA compliance assessmentreport etc.). Alternatively or in addition, the customer can customizehis own reports to document information required by customer's policy.

RF Visualization Module: The RF visualization module facilitatesdetermining and providing visual displays of radio coverage of wirelessnetwork components (APs, sniffers etc.) based upon their placementinformation and information associated with spatial layout of thepremises where they are/are to be positioned. Moreover, informationabout factors such as transmit power, receive sensitivity, antennacharacteristics etc. can also be used in determining radio coverage.Determining and visualizing radio coverage can provide for variouswhat-if analyses. As merely an example, visualizing the radio coverageof the sniffers can further facilitate determining threat detectioncoverage, remediation coverage, location tracking coverage and like. Forexample, for the sniffer to be able to detect certain wireless activity,it is necessary that the sniffer receives the wireless activity withcertain minimum signal strength or with certain minimum packet errorprobability. As another example, for the sniffer to be able to remediate(e.g., prevent) undesirable wireless activity associated with a targetdevice, it is necessary that the radio signals transmitted by thesniffer reach the target device with certain different minimum signalstrength. As yet another example, to be able to perform locationtracking for a device within a selected region via triangulation, it maybe necessary that the signal transmissions from the selected region aredetected by at least a certain minimum number (e.g., 3) of sniffers. Asyet a further example, redundant coverage of more than one sniffers maybe required for a selected region for fault tolerance. Depending uponthe embodiments, one or more of these objectives are desirable. The RFvisualization module can facilitate determining the sniffer placement toachieve the desirable objectives.

A logical flow of steps in a method 1300 for using RF visualizationmodule according to an embodiment of the present invention isillustrated in FIG. 13A. This diagram is merely an example which shouldnot limit the scope of the claims herein. One of ordinary skill in theart can contemplate many alternatives, variations and modifications tothe method based upon the teachings of the present specification.

As shown in FIG. 13A, step 1302 can receive information associated withspatial layout of the customer premises where sniffers are or will bedeployed. This information is used to generate a computer model of thepremises. The computer model can include information associated with thelayout components (e.g., physical dimensions, material type, locationetc.) of the premises. The layout components can include, but notlimited to, rooms, walls, partitions, doors, windows, corridors,furniture, elevator shaft, patio, floor, parking lot and foliage. In aspecific embodiment, the information associated with the spatial layoutcan be received in the form of a layout drawing file prepared by CAD(computer aided design) software such as for example AutoCAD provided byAutodesk, Inc. of San Rafael, Calif. In an alternative embodiment, animage file of the layout of the premises is imported as a *.gif, *.jpgor any other format file to generate the computer model. In a specificembodiment, the image file depicts (encodes) a floor plan or a map ofthe premises. In an alternative specific embodiment, the image file canbe a photograph or a scanning of the architectural drawing of the floorplan. In an embodiment, the image file can be annotated with detailssuch as physical dimensions and material types of layout components.

Step 1304 of the method 1300 can facilitate positioning sniffer icons inthe spatial layout of the premises. For example, the spatial layout mapcan be displayed on the computer screen and sniffer icons can bepositioned on the displayed layout map. At step 1306, the method canpredict the radio coverage of the sniffers and determine coverage fordetection, remediation, location tracking, redundancy etc. based uponthe computer model of the premises, the information associated with thesniffer placement and one or more radio signal propagation models. Step1308 can display the predicated coverage areas in relation to the layoutof the premises as exemplified by a computer screenshot 1310 of FIG.13B. This diagram is merely an example which should not unduly limit thescope of the claims herein. One of ordinary skill in the can contemplatevarious alternatives and modifications based upon the teachings of thepresent specification.

Referring to FIG. 13B, a sniffer icon is shown at location 1322. Alayout is seen to comprise of exterior walls 1334, interior walls 1336,columns 1338, entrance 1340 etc. The detection region of coverage 1326and the prevention region of coverage 1324 are shown simultaneously inrelation to the display of the layout. In the present example, thedetection region is seen to be larger than the prevention region. In apreferred embodiment, the regions 1324 and 1326 are shown by differentcolors, the legend 1328 for colors being provided. In an alternativeembodiment, the regions 1324 and 1326 can be shown in separate views,each in relation to the display of the layout. In other alternativeembodiments, the regions can be shown via different fill patterns,contours, gradations of one or more colors and like. The “PreventionReliability” index 1332 is used to select the degree of disruption to beinflicted on the intruder device by the prevention process. In onespecific embodiment, the degree of disruption corresponds to the packetloss rate to be inflicted on the intruder device. In this embodiment, anindication of statistical confidence in the coverage prediction is alsoindicated via the “Confidence Level” indicator 1330. In a furtheralternative embodiment, the coverage regions of a plurality of sniffersare shown in relation to the layout of the premises, e.g., viasuperposition of their coverage regions. Depending upon embodiments, thecustomer can be allowed to view, print, and/or electronically save thecoverage views. Different fees can be charged for the various options.In various embodiments, fees can be charged for the use of RF modulebased upon the size of premises for which coverage prediction is to beperformed (e.g., 10,000 square feet, number of floors etc.), number ofsniffers, and types of coverage regions to be predicted (e.g.,detection, prevention, location, redundancy etc.).

Certain additional details of RF visualization for sniffers can be foundin commonly assigned patent application publication No. 20060058062,entitled “Method for wireless network security exposure visualizationand scenario analysis”, published on Mar. 16, 2006, which is herebyincorporated by reference herein. In an embodiment, one or more reportscan be generated based upon the predicted coverage of APs and/orsniffers. The reports can indicate information such as percentage ofareas covered by various signal strengths/link speeds,co-channel/adjacent channel interference etc. In an alternativeembodiment, the customer is provided with a measurement tool (e.g.,software running on a wireless enabled laptop, PDA etc.) using whichsignal strength measurements and other measurements can be taken oncustomer site. These measurements can be reported (e.g., uploaded) tothe customer workspace on the security server. The security server canuse the measurements by themselves or along with predictions to providevarious RF visualization displays and reports. As merely an example, themeasurements can be used to adjust the prediction parameters forimproved accuracy.

In an embodiment, the service provider entity can provide services ofprofessionals skilled in wireless vulnerability management. Theseprofessionals can assist the customer in selecting appropriatemodules/submodules, in configuring various parameters and like. Theprofessionals can also assist in acting on vulnerabilities and securitybreaches detected. In some embodiments, a service level agreement (SLA)can be executed between the service provider and the customer forprofessional services offering. Examples of SLAs can include analysisand notification of threats within a specified time limit, periodicreporting, periodic system configuration review, consultation for threatremediation and like.

The method 200 at step 214 includes metering usage of the workspace forwireless vulnerability management for the customer entity. Variousembodiments of the present invention include various models for chargingthe customer entity for vulnerability management service, based upon themetered usage of the workspace. In an embodiment, the service providerentity can track usage parameters of the sniffers for wirelessvulnerability management for a customer entity. Examples of the usageparameters of the sniffers include among others the number of sniffers,the duration for which each of the sniffers is active (e.g., connectedto the security server and sending wireless activity information fromcustomer site), the amount of wireless activity information receivedfrom the sniffers, number of channels scanned etc. The customer can becharged (e.g., periodically) subscription charges based upon the meteredsniffer usage.

In alternative embodiment, the metering the usage of the workspace caninclude tracking number of vulnerabilities detected. Moreover, it caninclude tracking types and severities of the vulnerabilities detected.It can also include keeping track of actions taken in response todetected vulnerabilities, e.g., email sent, recorded in report,remediation triggered etc. The customer can be charged based upon thesemetered usage parameters. In an embodiment, the number ofvulnerabilities detected during the selected period can comprise realvulnerabilities and false alarms. In this embodiment, credit can begiven to the customer entity for at least a subset of the false alarms.

In yet an alternative embodiment, the metering can include tracking theselection of modules and/or submodules as in step 212 and/or trackingusage parameters associated with the modules/submodules and charging thecustomer based upon these parameters. In yet a further alternativeembodiment, metering can be based upon parameters such as number ofreports subscribed to, generation of reports, notification of reports,contents of reports etc. The charging can include pre-charging,deducting from deposit accounts, periodic billing, extending credit etc.In an embodiment, customer entity can be charged flat rate for wirelessvulnerability management service for a selected period. In variousembodiments, the flat rate can depend upon the modules/submodulessubscribed to, notification preferences, usage of sniffers, reports andlike. The various metering embodiments described herein are exemplaryonly and there are many others including modifications and combinationsof those described herein which will be apparent to persons of ordinaryskill in the art based upon the present disclosure.

While several exemplary modules have been described (for example, atstep 212 of the method 200), there are others which will be apparent toone of ordinary skill in the art based on the teachings of the presentspecification. In an embodiment according to the present invention, thecustomer can select one or more of the modules. The customer can pay forthe wireless vulnerability management based upon the modules selectedand/or duration for which they are used. In an embodiment, the customercan select certain modules when threat perception is high and deselectthem when it is relatively lower. For example, the retailer can selectto use and pay for the remediation module during the Christmas seasonwhen the threat perception is higher due to peak shopping season andturn it off during other low shopping activity seasons. As anotherexample, the financial organization can increase the level of wirelesssecurity in response to the reports of spreading Internet worm. Themodularization of wireless vulnerability management advantageouslyprovides for efficient, affordable and flexible wireless vulnerabilitymanagement. Moreover, the modules can comprise submodules. Thesubmodules can also be selected (e.g., activated) and deselected (e.g.,deactivated) in an embodiment. The metering can also be based upon theselected submodules.

In various embodiments of the present invention, the sniffer can monitorwireless activity in its vicinity. Wireless activity can include anytransmission of control, management, or data packets between an AP andone or more wireless clients, or among one or more wireless clients. Ingeneral, the sniffer can listen to a radio channel and capturetransmissions on that channel. In an embodiment, the sniffer can cyclethrough multiple radio channels on which wireless communication couldtake place. On each radio channel, the sniffer can wait and listen forany ongoing transmission. In an alternative embodiment, sniffer canoperate on multiple radio channels simultaneously.

Whenever a transmission is detected, sniffer can collect and record therelevant information about that transmission. This information caninclude all or a subset of information from various fields in a capturedpacket. In an embodiment, a receive signal strength indicator (RSSI)associated with the captured packet can also be recorded. Otherinformation such as the day and the time the transmission was detectedcan also be recorded.

The sniffer can perform processing on the information it gathers aboutwireless transmissions. For example, the sniffer can filter/summarizethe information for sending it to the security server. The sniffer canperform certain threat assessment processing on the gatheredinformation. Moreover, the sniffer can send information about results ofthe threat assessment processing to the security server.

Depending upon the embodiment, the sniffer can transmit packets over thewireless medium. These packet transmissions can facilitateblocking/disrupting wireless communication over undesirable wirelessconnections according to an aspect of the present invention. The packettransmissions can also facilitate certain threat assessment procedures.

An exemplary hardware diagram of the sniffer 600 is shown in FIG. 6.This diagram is merely an example, which should not unduly limit thescope of the claims herein. One of ordinary skill in the art wouldrecognize many variations, alternatives, and modifications. As shown,sniffer can have a central processing unit (CPU) 601, a flash memory 602where the software code for sniffer functionality can reside, and a RAM603 which can serve as volatile memory during program execution. Thesniffer can have one or more 802.11 wireless network interface cards(NICs) 604 which perform radio and wireless MAC layer functionality andone or more of dual-band (i.e., for transmission detection in both the2.4 GHz and 5 GHz radio frequency spectrums) antennas 605 coupled to thewireless NICs. Each of the wireless NICs 604 can operate in 802.11a,802.11b, 802.11g, 802.11b/g or 802.11a/b/g mode. In an embodiment,alternatively or in addition, at least one of the NICs can operate in802.11n mode. Moreover, the sniffer can have an Ethernet NIC 606 whichperforms Ethernet physical and MAC layer functions, an Ethernet jack 607such as RJ-45 socket coupled to the Ethernet NIC for connecting thesniffer device to wired LAN with optional power over Ethernet or POE,and a serial port 608 which can be used to flash/configure/troubleshootthe sniffer device. A power input 609 is also provided. One or morelight emitting diodes (LEDs) 610 can be provided on the sniffer deviceto convey visual indications (such as device working properly, errorcondition, undesirable wireless activity alert, and so on).

In an embodiment, the sniffer can be built using a hardware platformsimilar to that used to build an AP, although having differentfunctionality and software. In an alternative embodiment, both thesniffer and the AP functionality can be provided in the same hardwareplatform.

In yet an alternative embodiment, the sniffer functionality is providedvia a software that can be executed using general purpose computers suchas for example laptops or desktops using microprosessor supplied byIntel Corporation of Santa Clara, Calif., an operating system suppliedby Microsoft Corporation of Redmond, Wash. (e.g., Windows XP, WindowsVista etc.), and having either a built in (e.g., Centrino technology) orexternal (e.g., PCMCIA based) radio cards. Alternatively, the softwarecan be executed on a wireless communications capable handheld devicessuch as iPhone (e.g., provided by Apple Computers of Cupertino, Calif.),PDAs, mobile phones etc. In this embodiment, the customer can downloadthe software from the security server. The customer can specify thecomputer platform for which the software is desired. The software canhave a license associated with it such as for example license to use thesoftware. The license can indicate as to on how many computers thecustomer is allowed to install the software.

The security server according to an embodiment of the present inventioncan include a network appliance such as one provided by IntelCorporation of Santa Clara, Calif. or any other suitable computingplatform. As merely an example, the computing platform can runenterprise grade server operating systems such as Windows Server 2003provided by Microsoft Corporation of Redmond, Wash., Red Hat EnterpriseLinux provided by Red Hat, Inc. of Raleigh, N.C. etc. A schematicdiagram of the security sever system 700 according to an embodiment ofthe present invention is illustrated in FIG. 7. This diagram is merelyan example, which should not unduly limit the scope of the claims. Oneof ordinary skill in the art would recognize many variations,alternatives, and modifications. As shown in FIG. 7, the security servercan comprise a processing unit (CPU) 702, a hard disk 704, a memorydevice 706 which can comprise a read only memory (RAM), a display device708, an input device 710 which can include a keyboard, a mouse etc., anda network communication interface 712 such as Ethernet interface,optical interface etc. In an embodiment the security server can compriseof a plurality of interconnected computers. The plurality of computerscan use techniques such as clustering, parallel processing etc. toincrease the processing and/or storage capacity of the security server.

One or more sniffers (e.g., such as the sniffer illustrated in FIG. 6)and one or more security servers (e.g., such as the security serverillustrated in FIG. 7) can be used to implement the method for wirelessvulnerability management (e.g., method 200 illustrated in FIG. 2). Forexample, the sniffers can monitor wireless transmissions within theirvicinity. They report information associated with the monitored wirelesstransmissions to the security server over the Internet. The sniffersand/or the security server can perform processing on the informationassociated with the monitored wireless transmissions for threatassessment, location tracking and like. The sniffers can transmitwireless signals for certain remediation, threat assessment etc. Thesecurity server can store the information associated with the monitoredwireless transmissions for reporting, forensics etc. Several moreexemplary embodiments for wireless vulnerability management according tothe present invention are described below.

An exemplary logical flow of steps in certain wireless intrusiondetection and prevention method 800 (e.g., for detecting unauthorizedwireless access) according to an embodiment of the present invention isshown in FIG. 8. This diagram is merely an example, which should notunduly limit the scope of the invention. One of ordinary skill in theart would recognize other variations, modifications, and alternativesbased on the teachings of the present specification.

As shown, the first step 801 includes maintaining a list of active APscalled the Active_AP_List. An active AP can be the AP that was recentlyinvolved in the wireless transmission as the sender or the receiver. Anactive AP can be detected by analyzing the wireless transmission on theradio channel captured by the sniffer. For example, every AP in the WiFinetwork periodically transmits a beacon packet for the client wirelessstations to be able to connect to it. The beacon packet containsinformation such as clock synchronization data, AP's wireless MACaddress (Basic Service Set Identifier (BSSID)), supported data rates,service set identifiers (SSIDs), parameters for the contention andcontention-free access to the wireless medium, capabilities as regardsQoS, security policy etc. In an embodiment, detection of beacon packettransmission from an AP is used to identify said AP to be an active AP.Beacon packet can be recognized from the type and subtype fields in the802.11 MAC header of the beacon packet. In alternative embodiments,active AP can also be detected when any other wireless transmission(data, control or management packet) directed to or generating from itis observed by the sniffer. In yet a further alternative embodiment,identify of the active AP is received from other network systems.Whenever an active AP is detected (i.e., wirelessly active AP), it isadded to the Active_AP_List. If the Active_AP_List already containsentry for said AP, the corresponding entry is refreshed. Associated witheach entry in the Active_AP_List are a short timeout and a long timeoutvalues. After a short timeout, the corresponding entry is marked“inactive” and after a long timeout it is marked “historic”. Anexemplary logical state diagram 900 for maintaining the Active_AP_Listis shown in FIG. 9. This diagram is merely an example, which should notunduly limit the scope of the claims herein. One of ordinary skill inthe art would recognize other variations, modifications, andalternatives.

The second step 802 in the method 800 is to classify the APs inActive_AP_List into: a) Authorized APs, b) Unauthorized APs, and c)External APs. In this embodiment, the Authorized APs are the APs whichare allowed to be connected to the LAN by the network administrator. TheUnauthorized APs are the APs that are not allowed to be connected to theLAN, but are still connected to the LAN. The Unauthorized APs pose asecurity threat as they can provide a way for intruders to wirelesslyaccess the LAN resources. The External APs are the APs whose presencecan be detected by the sniffers but they are not connected to the LAN.For example, these can be neighbor's APs whose radio coverage spillsinto the region of operation of the LAN. The External APs may not pose asecurity threat as they do not provide a way for intruders to access theLAN.

The third step 803 can generate an indication of unauthorized wirelessaccess (e.g., intrusion alert) if an Unauthorized AP is identified instep 802. Once the intrusion alert is generated, the method sends anindication of the Unauthorized AP and/or intruding wireless station to aprevention process. Further details of the prevention process can befound throughout the present specification and more particularly below.

At step 804 certain action can be performed to disable or disrupt anycommunication between the Unauthorized AP and the intruding wirelessstation. One embodiment of this step works by preventing or breaking the“association” between the Unauthorized AP and the intruding wirelessstation. Association is certain procedure according to the IEEE 802.11MAC protocol wherein the wireless station and the AP establish awireless connection between them. Techniques for preventing or breakingthe association between the Unauthorized AP and the intruding wirelessclient include among others sending one or more spoofed“deauthentication” packets from one or more sniffers with theUnauthorized AP's wireless MAC address as source address with a reasoncode “Authentication Expired” to the intruding wireless station's MACaddress or to a broadcast address, sending one or more spoofeddeuthentication packets from one or more sniffers to the Unauthorized APwith the intruding wireless station's wireless MAC address as sourceaddress with reason code “Auth Leave”, sending one or more spoofed“disassociation” packets from one or more sniffers with the UnauthorizedAP's wireless MAC address as source address to the intruding wirelessstation's MAC address or to a broadcast address, and sending one or morespoofed disassociation packets from one or more sniffers to theUnauthorized AP with the wireless client's wireless MAC address assource address.

Certain additional details about the prevention process can be found inthe following patent applications/patent application publications, whichare commonly assigned, and each of which is hereby incorporated byreference herein: U.S. Patent Application Publication No. 20060165073,entitled “Method and a system for regulating, disrupting and preventingaccess to the wireless medium”, published on Jul. 27, 2006; U.S. patentapplication Ser. No. 11/026,473, entitled “Method and system forscheduling of sensor functions for monitoring of wireless communicationactivity”, filed on Dec. 29, 2004; and U.S. patent application Ser. No.11/330,948, entitled “Method and system for disrupting undesirablewireless communication of devices in computer networks”, filed on Jan.11, 2006.

In the preferred embodiment of the method of invention, step 802 candistinguish the APs that are connected to the LAN from those that arenot connected to the LAN. This advantageously facilitates distinguishingbetween the Unauthorized APs and the External APs. The distinguishingbetween the Unauthorized APs and the External APs according to thepresent invention offers several benefits and/or advantages. Forexample, the distinguishing between the Unauthorized APs and theExternal APs can facilitate initiating intrusion prevention of step 804in an automated fashion as the distinguishing as above can provide foravoiding disrupting neighbor's wireless network via intrusionprevention. As another example, the distinguishing between theUnauthorized APs and the External APs can provide for avoiding falsealarms on intrusion. In a typical office environment, the sniffer cantypically detect wireless communication associated with several APsother than the Authorized APs. Among these several APs other than theAuthorized APs, some APs can be the External APs (e.g., APs inneighbor's wireless network, municipal WiFi APs etc.) and the others canbe the Unauthorized APs (e.g., AP connected by unassuming or maliciousemployee to the LAN for providing unauthorized access to the LAN). Withthe ability to distinguish between the External APs and the UnauthorizedAPs, the security system can avoid raising intrusion alarms for ExternalAPs. This takes nuisance factor out of system operation as well as savesresources that would otherwise be wasted in chasing false intrusionalarms. Various embodiments to distinguish the APs that are connected tothe LAN from those that are not connected to the LAN can employcorrelation analysis between traffic detected over wired portion of theLAN and traffic detected over wireless medium.

Certain additional details about classifying the active APs can be foundin the following patent applications/patent applicationpublications/patents, commonly assigned, and each of which is herebyincorporated by reference herein: U.S. Patent Application PublicationNo. 20050195753, entitled “Method and system for detecting wirelessaccess devices operably coupled to computer local area networks andrelated methods”, published on Sep. 8, 2005; U.S. patent applicationSer. No. 10/931,926, entitled “Automated method and system formonitoring local area computer networks for unauthorized wirelessaccess”, filed on Aug. 31, 2004; U.S. Patent Application Publication No.20060193300, entitled “Method and apparatus for monitoring multiplenetwork segments in local area networks for compliance with wirelesssecurity policy”, published on Aug. 31, 2006; and U.S. Pat. No.7,002,943, entitled “Method and system for monitoring a selected regionof an airspace associated with local area networks of computingdevices”, issued on Feb. 21, 2006.

In an alternative exemplary embodiment, the system comprising sniffersand security server can provide certain protection to LANs includingwireless networks which use outdated security controls such as WEPencryption. Certain organizations such as for example some retailershave already invested in equipment (e.g., handheld scanners) using WEPfor wireless communication encryption. WEP encryption has been shown tobe vulnerable to various attacks. Nonetheless, these organizations areforced to use WEP for wireless communication encryption as many of thehandheld scanners do not support upgrading to the more robust encryptionprotocols.

Certain attack on WEP encrypted communication can crack the encryptionkey upon observing a certain number of encrypted packets. In a typicalattack on WEP encryption, the attacker first collects a certain numberof wireless packets (802.11 frames) that have been encrypted with anencryption key (which is unknown to the attacker to start with). Theattacker can passively sniff such packets from wireless communicationbetween the AP and its connected client. Alternatively, in order toexpedite the collection of packets, the attacker can employ certainactive injection techniques such as packet replays. The packet injectiontechniques prompt the AP and/or the client to send encrypted packets ata faster rate than what would be observed during their normalcommunication. Once a certain number of packets are collected, the WEPcracking algorithms such as one described by Fluhrer et al. in a papertitled “Weaknesses in the Key Scheduling Algorithm of RC4”, which isalso called as FMS attack (named after its discoverers Fluhrer, Mantin,and Shamir), can be run on the collected packets to infer the encryptionkey. Once encryption key is inferred, the attacker can eavesdrop anddecrypt the wireless communication and can even get connected to thewireless network. The attacker can impersonate (e.g., spoof) the MACaddress of an authorized client to remain undetected and/or getconnected through APs which use MAC address based access control.

In an embodiment, the present invention provides certain protection forWEP encrypted communications. An exemplary method 1000 for providingcertain protection for WEP encrypted communications according to anembodiment of the present invention is illustrated in FIG. 10. Thisdiagram is merely an example, which should not unduly limit the scope ofthe invention. One of ordinary skill in the art would recognize othervariations, modifications, and alternatives based on the teachings ofthe present specification. As shown, the method can detectcharacteristics of the wireless network which simplify the WEP keycracking for the attacker (step 1002). For example, the FMS and certainother key cracking algorithms use certain values in the WEP encryptedpackets called “weak IVs” (Initialization Vectors) for the key cracking.The system of present invention can generate alerts when weak IVs aredetected in packets transmitted from devices in the authorized wirelessnetworks. As yet another example, having certain setting for parametercalled PSPF (Publicly Secure Packet Forwarding) on the authorized APssimplifies the active injection based attacks. The method and system ofthe present invention can generate notifications if such PSPF setting isdetected on authorized AP.

As shown in FIG. 10, the method can detect the WEP attacker using activeinjection (step 1004). The presence of active injection attacker can bedetected via detection of abnormally high volume of ARP request packetswith the same value of IV in them being transmitted over the wirelesschannel of the AP. In this embodiment, the attacker captures alegitimate ARP request transmitted from the station, and replays itmultiple times to extract ARP responses from the AP. Alternatively or inaddition, occurrence of impersonation for the station's MAC address,often called as MAC address spoofing, can also be detected to infer thepresence of active WEP attacker. According to certain technique todetect MAC address spoofing, packets including the MAC address as thesource/transmitter of the packets are analyzed. More particularly, thesequence numbers included within the packets are analyzed. In theabsence of MAC address spoofing, the sequence numbers typically increasewith time in a regular fashion, i.e., until wraparound occurs. In thepresence of station MAC spoofing, anomaly can be detected among sequencenumbers. As merely an example, the sequence numbers can be seen to goforward and backward with time. Certain additional details aboutdetecting MAC address spoofing can be found in the commonly assignedpatent application Ser. No. 11/770,760, entitled “Method and system fordetecting address rotation and related events in communicationnetworks”, filed on Jun. 29, 2007, which is hereby incorporated byreference herein.

The method 1000 can detect an attacker connecting to the authorizedwireless network using the cracked key via detection of frames includingspoofed client MAC address. The sniffers can block the client's MACaddress from connecting to the AP (e.g., using deauthentication basedprevention technique) (step 1006). This can foil the active injectionbased WEP attack and/or foil the attacker from connecting to the networkusing the cracked WEP encryption key. In an alternative embodiment, step1006 can be performed even if active injection WEP cracking is notdetected as in step 1004. This is to protect from passive WEP crackingattacker.

In yet an alternative exemplary embodiment, the system comprisingsniffers and security servers can detect certain Man-in-the-Middleattacks, for example, which can be launched via a MAC spoofing process.In the MAC spoofing process, an attacker can operate an AP in a vicinityof the authorized wireless network which masquerades as an AP in theauthorized wireless network, for example, by advertising the sameidentity information (e.g., wireless MAC address, SSID etc.) as that ofthe authorized AP. Moreover, the attacker AP can deploy techniques suchas high gain antennas to increase its signal strength. Such an AP canlure stations in the authorized wireless network with or without theirknowledge into connecting to it and then exploit the stations by actingas Man-in-the-Middle in the stations' wireless communication.

The method according an embodiment of the invention to detect MACspoofing works by capturing beacon (or probe response) packetstransmitted from an AP with a given MAC address, and recording valuescontained in the TSF (Time Stamp Field) of the beacon packets. The TSFis a 64-bit field in the IEEE 802.11 beacon packets that contains AP'stimestamp. The TSF value represents value in microseconds and incrementsas the time progresses (for examples, by one count every microsecondinterval). The TSF counter starts from zero every time the AP device isreset/(re)started. The method of present invention exploits this fact bycomputing an approximation to the reset/(re)start time of the AP devicewith a given MAC address from the TSF value contained in the capturedbeacon packet (e.g. reset/(re)start time=time instant the beacon packetfrom a given MAC address is captured−the TSF value), and detecting ifreset/(re)start times computed for a given MAC address are apart fromeach other beyond reasonable margin of error (e.g. 1 second). If so, MACspoofing (i.e., presence of attacker AP masquerading as authorized AP)is inferred.

A method 1100 to detect MAC spoofing according to a specific embodimentis illustrated in FIG. 11. This diagram is merely an example, whichshould not unduly limit the scope of the claims herein. One of ordinaryskill in the art would recognize many variations, modifications, andalternatives. The method advantageously eliminates false positivesresulting from an authorized AP indeed undergoing a reset/(re)startoperation. In step 1101, a beacon packet transmitted from an AP with agiven MAC address is captured by the sniffer. In step 1102, a mostrecent approximation to reset/(re)start time of the AP with the givenMAC address is computed as the capture time of the beacon packet minusthe TSF value in the beacon packet. In step 1103, the most recent valueof approximation is compared with the approximation value computed (andstored) from a beacon packet from the given MAC address captured by thesniffer in the past. Preferably, the comparison is done considering areasonable margin of error, for example 1 second or 10 seconds. As shownin step 1104, if the most recent approximation value is found smallerthan the past computed value, MAC spoofing is inferred. As shown in step1105, if the most recent approximation value is found greater than thepast computed value, MAC spoofing is not inferred so as to avoid falsealarms due to reset/(re)start of an authorized AP.

Many alternative embodiments of the method to detect MAC spoofing arepossible. In an embodiment, the hardware/software directed to executethe steps of the method are provided within a single sniffer. In analternative embodiment, the foregoing method to detect MAC spoofing isperformed in a distributed fashion. That is, information associated withor derived from TSF values in beacon packets from a given MAC addresscaptured by plurality of sniffers is received by the security server andprocessed as described to detect MAC spoofing. The informationassociated with local reference times at different sniffers is usedduring the processing. The distributed operation advantageously detectsMAC spoofing wherein the authorized AP and the attacker AP are withinthe radio coverage range of different sniffers, but none of thesedifferent sniffers is able to capture beacon packets from both of theseAPs. In an embodiment, when a spoofing is detected for a MAC address,the indication of the MAC address is passed to a prevention process.

In yet a further alternative exemplary embodiment, the system comprisingsniffers and security servers can detect certain DOS attacks. A logicalflow of steps in a method 1200 for detecting certain deauthenticationattack according to an embodiment of the present invention isillustrated in FIG. 12. This diagram is merely an example, which shouldnot unduly limit the scope of the claims herein. One of ordinary skillin the art would recognize many variations, modifications, andalternatives.

As shown in FIG. 12, at step 1202, the sniffers scan radio channels andcollect information about frames (an IEEE 802.11 format packet is oftenreferred to as a frame) observed on those channels. At step 1204, asubset of frames among the observed frames that are of type“deauthentication” and include as source address a wireless MAC addressof an authorized AP are identified. At step 1206, a number of suchframes detected over a certain period of time is computed and comparedagainst a predetermined threshold value. If a threshold is exceeded, atstep 1208 an indication of deauthentication attack is generated. Certainadditional details about detecting DOS attacks in wireless networks canbe found in the U.S. patent application Ser. No. 11/770,760, entitled“Method and system for detecting address rotation and related events incommunication networks”, commonly assigned, which is hereby incorporatedby reference herein.

In an embodiment, when a DOS attack is detected, the indication ispassed to a prevention process. The prevention process can suppress thewireless transmissions of the DOS attacker to certain extent andfacilitate legitimate communication to continue a certain extent.Certain additional details about the prevention process for DOS attackscan be found in the U.S. Patent Application Publication No. 20060165078,entitled “Method and system for allowing and preventing wireless devicesto transmit wireless signals”, published on Jul. 27, 2006, commonlyassigned, which is hereby incorporated by reference herein.

The various embodiments of the present invention may be implementedusing a computer based system. The computer based system may include aprocessing unit, an input device, a display unit, and a communicationinterface. The processing unit may include a microprocessor. Themicroprocessor may be connected to a data bus. The microprocessor mayinclude any processor-based systems using microcontrollers, digitalsignal processors (DSP), reduced instruction set circuits (RISC),application specific integrated circuits (ASICs), logic circuits, andany other circuit or processor capable of executing the computer code(program) for performing the functions described herein. The computerbased system may also include a memory. The memory may include RandomAccess Memory (RAM) and/or Read Only Memory (ROM). Alternatively or inaddition, the memory may include one or more hard disks and/or one ormore portable data storage devices such as floppy disk, compact disk,jump drive and the like. The memory can also be other similar means forstoring computer programs, program data etc.

The computer code may include various commands that instruct theprocessing unit to perform specific operations such as the processes ofthe various embodiments of the present invention. The set ofinstructions may be in the form of a software program. The software maybe in various forms such as system software or application software.Further, the software may be in the form of a collection of separateprograms, a program module within a larger program, or a portion of aprogram module. The software also may include modular programming in theform of object-oriented programming. The processing of input data by theprocessing unit may be in response to user commands, or in response toresults of previous processing, or in response to a request made byanother processing unit.

Although specific embodiments of the present invention have beendescribed, it will be understood by those of ordinary skill in the artthat there are other embodiments that are equivalent to the describedembodiments. Accordingly, it is to be understood that the invention isnot to be limited by the specific illustrated embodiments, but only bythe scope of the appended claims.

What is claimed is:
 1. A Software-as-a-Service (SaaS) based method forproviding wireless vulnerability management for local area computernetworks, the method comprising: providing a security server, thesecurity server being hosted by a service provider entity, the securityserver being coupled to the Internet, the security server being adaptedto provide analysis of data associated with wireless vulnerabilitymanagement for a plurality of local area computer networks of aplurality of customer entities, respectively; creating a workspace forwireless vulnerability management for a first customer entity on thesecurity server, the creating the workspace being responsive to arequest from the first customer entity to subscribe to wirelessvulnerability management; receiving configuration information associatedwith the workspace for the first customer entity at the security server;supplying one or more sniffers to the first customer entity; receivingconnection requests at the security server over the Internet from theone or more sniffers, respectively, subsequent to the one or moresniffers being deployed at premises of the first customer entity;associating identities of the one or more sniffers with the workspacefor the first customer entity at the security server; receiving at thesecurity server information associated with wireless activity monitoredby the one or more sniffers at the premises of the first customerentity, the receiving being receiving over the Internet; processing thereceived information associated with the wireless activity within theworkspace for the first customer entity using the security server; andmetering usage of the workspace for wireless vulnerability managementfor the first customer entity.
 2. The method of claim 1 wherein theservice provider entity and the first customer entity being businessentities separate from one another.
 3. The method of claim 1 wherein themetering the usage of the workspace for the first customer entitycomprising: tracking usage of the one or more sniffers at the premisesof the first customer entity for the monitoring of the wirelessactivity; and charging the first customer entity periodically based atleast upon the usage of the one or more sniffers.
 4. The method of claim1 wherein the metering the usage of the workspace for the first customerentity comprising: tracking vulnerabilities detected during a selectedperiod; and charging the first customer entity based at least upon thevulnerabilities detected during the selected period.
 5. The method ofclaim 1, and further comprising receiving a selection of one or moremodules associated with the workspace for the first customer entity atthe security server.
 6. The method of claim 5 wherein the metering theusage of the workspace for the first customer entity comprising chargingthe first customer entity based at least upon the selection of the oneor more modules.
 7. The method of claim 5 wherein the one or moremodules comprise at least one module selected from the group consistingof scanning module, threat assessment module, remediation module,location tracking module, reporting module, RF visualization module, andmanaged services module.
 8. The method of claim 5 wherein the receivingthe selection of the one or more modules associated with the workspacefor the first customer entity at the security server comprising:receiving a request to initiate logging into the workspace for the firstcustomer entity from a computer, the request being initiated over theInternet; transferring information associated with a listing of modulescomprising the one or more modules to the computer over the Internet;and receiving the selection of the one or more modules at the securityserver over the Internet, the selection being inputted by a personoperating the computer using the listing of the modules.
 9. The methodof claim 5 wherein the processing the received information associatedwith the wireless activity within the workspace for the first customerentity using the security server comprising: authenticating the receivedinformation using a digital secret shared between the security serverand the first customer entity; accessing the configuration informationassociated with the workspace for the first customer entity; accessingthe module selection information associated with the workspace for thefirst customer entity; processing the received information based atleast upon the configuration information and the module selectioninformation to generate a result information; and triggering one or moreactions based at least upon the result information.
 10. The method ofclaim 1 wherein the receiving the configuration information associatedwith the workspace for the first customer entity at the security servercomprising receiving identity information associated with one or moreauthorized wireless devices within the local area network of the firstcustomer entity.
 11. The method of claim 1 wherein the receiving theconfiguration information associated with the workspace for the firstcustomer entity at the security server comprising: receiving informationassociated with a hierarchy of physical locations within the premises ofthe first customer entity; and receiving information related toassociation between the one or more sniffers and the physical locations,respectively.
 12. The method of claim 1 wherein the receiving theconfiguration information associated with the workspace for the firstcustomer entity at the security server comprising receiving informationassociated with notification of one or more wireless vulnerabilities tothe first customer entity.
 13. The method of claim 1 wherein thereceiving the configuration information associated with the workspacefor the first customer entity at the security server comprisingreceiving information associated with a selection of one or morereports, the one or more reports to be generated based upon theinformation associated with the monitored wireless activity received atthe security server.
 14. The method of claim 1 wherein the receiving theconfiguration information associated with the workspace for the firstcustomer entity at the security server comprising: receiving a requestto initiate logging into the workspace of the first customer entity froma computer, the request being initiated over the Internet; transferringinformation associated with one or more configuration screens to thecomputer over the Internet; displaying the one or more configurationscreens on the computer; and receiving the configuration information atthe security server over the Internet, the configuration informationbeing inputted by a person operating the computer using the one or moreconfiguration screens displayed on the computer.
 15. The method of claim1 wherein a username, a password, and an administrative privilege beingassociated with the workspace for the first customer entity on thesecurity server, the administrative privilege being a configurationmodification privilege, a viewing privilege, or a module selectionprivilege.
 16. The method of claim 1 wherein the information associatedwith the wireless activity monitored by the one or more sniffers at thepremises of the first customer entity including identities of one ormore wirelessly active access points and one or more wirelessly activeclients within and/or in a vicinity of the premises of the firstcustomer entity.
 17. The method of claim 1 wherein the informationassociated with the wireless activity monitored by the one or moresniffers at the premises of the first customer entity includinginformation associated with wireless connections among a plurality ofwireless devices within and/or in a vicinity of the premises of thefirst customer entity.
 18. The method of claim 1 wherein the informationassociated with the wireless activity monitored by the one or moresniffers at the premises of the first customer entity includinginformation associated with radio signal strength parameters associatedwith the wireless activity.
 19. A server computer device adapted toprovide wireless vulnerability management as Software-as-a-Service(SaaS) for a plurality of private computer networks of a plurality ofcustomer entities, respectively, the server computer comprising: amemory unit storing computer executable instructions; a processor unitfor executing the computer executable instructions; and a communicationinterface for coupling the server computer device to a computer network;wherein the computer executable instructions are adapted to perform thesteps of: receiving information associated with wireless activity usingthe communication interface from a plurality of sets of sniffers overthe Internet, the plurality of sets of sniffers being positioned withinpremises of the plurality of customer entities, respectively;maintaining a plurality of workspaces for wireless vulnerabilitymanagement within the memory unit for the plurality of customerentities, respectively; identifying a plurality of portions of thereceived information that are associated with the plurality of customerentities, respectively; and processing the plurality of portions usingthe processor unit in accordance with the plurality of workspaces,respectively.
 20. A Software-as-a-Service (SaaS) based method foravailing wireless vulnerability management for local area computernetwork, the method comprising: generating a request for wirelessvulnerability management for a local area network of a first customerentity; receiving login information associated with a workspace for thefirst customer entity, the workspace being created on a security serverand being for wireless vulnerability management for the local areanetwork of the first customer entity, the security server being hostedby a service provider entity, the security server being coupled to theInternet, the security server being adapted to provide analysis of dataassociated with wireless vulnerability management for a plurality oflocal area computer networks of a plurality of customer entities,respectively; providing configuration information associated with theworkspace for the first customer entity to the security server;receiving one or more sniffers at premises of the first customer entity;connecting the one or more sniffers to the local area network of thefirst customer entity; generating connection requests to the securityserver over the Internet from the one or more sniffers, respectively,subsequent to the one or more sniffers being connected to the local areanetwork of the first customer entity; transferring identity informationfrom the one or more sniffers to the security server, the identityinformation being used to associate the one or more sniffers with theworkspace for the first customer entity; sending to the security serverinformation associated with wireless activity monitored by the one ormore sniffers at the premises of the first customer entity, the sendingbeing sending over the Internet; receiving results from processing ofthe sent information associated with the wireless activity, theprocessing being using the security server and being performed withinthe workspace for the first customer entity; and generating paymentauthorization based at least upon usage of the workspace for the firstcustomer entity.